### # RESTRICTED_INCOMING_TRAFFIC tests ### --- - name: Empty, SKIP input: {} expectations: rules: RESTRICTED_INCOMING_TRAFFIC: SKIP - name: No resources, SKIP input: Resources: {} expectations: rules: RESTRICTED_INCOMING_TRAFFIC: SKIP - name: Security Group with no TCP or UPD ingress, SKIP input: Resources: ExampleSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Allow ICMP inbound and outbound traffic" SecurityGroupIngress: - IpProtocol: icmp FromPort: -1 ToPort: -1 CidrIp: 192.168.0.0/16 expectations: rules: RESTRICTED_INCOMING_TRAFFIC: SKIP - name: Security Group with no common port open, PASS input: Resources: ExampleSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Allow port 22 SHH inbound and outbound traffic" SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 192.168.0.0/16 - IpProtocol: icmp FromPort: -1 ToPort: -1 CidrIp: 192.168.0.0/16 expectations: rules: RESTRICTED_INCOMING_TRAFFIC: PASS - name: Security Group with port 20 open, FAIL input: Resources: ExampleSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Allow port 20 inbound and outbound traffic" SecurityGroupIngress: - IpProtocol: tcp FromPort: 20 ToPort: 20 CidrIp: 192.168.0.0/16 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 192.168.0.0/16 expectations: rules: RESTRICTED_INCOMING_TRAFFIC: FAIL - name: Security Group with port 20 open but rule suppressed, SKIP input: Resources: ExampleSecurityGroup: Type: AWS::EC2::SecurityGroup Metadata: guard: SuppressedRules: - RESTRICTED_INCOMING_TRAFFIC Properties: GroupDescription: "Allow port 20 inbound and outbound traffic" SecurityGroupIngress: - IpProtocol: tcp FromPort: 20 ToPort: 20 CidrIp: 192.168.0.0/16 expectations: rules: RESTRICTED_INCOMING_TRAFFIC: SKIP